[dane] "Swede" likely not ready for production use

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 10 November 2014 15:58 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 4EE401A000E for <dane@ietfa.amsl.com>; Mon, 10 Nov 2014 07:58:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Zl0Li1JAVAbP for <dane@ietfa.amsl.com>; Mon, 10 Nov 2014 07:58:11 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org []) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2F831A0013 for <dane@ietf.org>; Mon, 10 Nov 2014 07:58:11 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id D8B002AB2F8; Mon, 10 Nov 2014 15:58:09 +0000 (UTC)
Date: Mon, 10 Nov 2014 15:58:09 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141110155809.GV161@mournblade.imrryr.org>
References: <20141107232915.GA31913@laperouse.bortzmeyer.org> <6DB8CC95-E47A-4C0B-BC0B-7D9A4F8F65B5@edvina.net> <20141109035925.GA20946@laperouse.bortzmeyer.org> <CANsiXEKRtJjJeOP4V3uHRdoSpuKZts=LtFAmOJJ2_byqbCZU4g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CANsiXEKRtJjJeOP4V3uHRdoSpuKZts=LtFAmOJJ2_byqbCZU4g@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/TRRDNZAJzZMcS8aqC0ac7YmJxLI
Subject: [dane] "Swede" likely not ready for production use
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Nov 2014 15:58:13 -0000

On Mon, Nov 10, 2014 at 01:13:15PM +0000, Terry Burton wrote:

> Also for reference Swede [1] can be invoked from Nagios as follows:
> define command {
>         command_name check_tlsa
>         command_line cd [nagios]/etc/swede && [nagios]/bin/swede
> verify -q $HOSTADDRESS$
> }

I don't believe that swede is sufficiently robust for this purpose:

    - No certificate signature checks or expiration checks for usage 2.
      (Invalid or expired chains pass)

    - Extraneous hostname check for usage 3.  (Valid certs fail)
      [Yes, I know the OPS draft has not yet been through WGLC) so
      the new semantics of DANE-EE with respect to hostname and
      expiration checks are not yet "standard".]

    - Unsafe hostname checks for usages 0, 1, 2 (remote name is
      used after insufficient input validation as a regular
      expression!).  The name checks are erroneously case sensitive
      for ASCII input.  (Valid names fail, invalid names pass, and
      possibly security issues depending on safety of using remotely
      provided regexps in Python)

Less critically, and for now also applicable to my Perl code:

    - Does not yet support UTF-8 (IDNA) hostnames.  The SNI extension
      is supposed to be UTF-8.  Name checks on DNS altNames are
      supposed to use ASCII-encoded A-labels.